

mdf




# 240374 4-Sep-2018 22:16

TL;DR version: recommendations as to reverse proxies for web app docker containers please. Emphasis on straightforward/good documentation rather than performance etc.

 

I am *very* new to web applications, but am trying to teach myself something new (more for the sake of it than anything; no specific projects in mind). There are a few web apps I've used previously without docker containers; right now, I am trying to figure out how to deploy the same apps inside containers. As I understand it, I need a reverse proxy to route traffic to the correct container.

 

I've had a look at both Apache and Nginx (as the web servers even I had heard of) and also have come across traefik.io, which seems to be designed for docker containers. However, the guides I've found seem to start off simple enough but then take off on a very steep learning curve that is beyond me so far (exhibit A: https://www.digitalocean.com/community/tutorials/how-to-use-traefik-as-a-reverse-proxy-for-docker-containers-on-ubuntu-16-04 - I did sort of get this one working, but did something wrong on the Let's Encrypt implementation).

 

Recommendations to help me stop flip flopping between options? Or particular guides/how tos/tutorials that you've found particularly helpful?


  # 2084113 4-Sep-2018 23:26

I'd recommend learning Nginx first. Works great as a reverse proxy as well as a regular webserver. There are lots of tutorials out there, especially the LEMP tutorials on the Digital Ocean site. You don't need to run Nginx in a Docker container - you can just run it on the host and then use port forwarding on your Docker containers to determine where the traffic should go. But once you're comfortable working with Nginx it's easy to take what you've learned and bundle it up into a container.

  # 2084128 5-Sep-2018 05:51

+1

 

NGINX contains a reverse proxy.

 

*Example*

 

 


  # 2084134 5-Sep-2018 06:54

Nginx!!!

Lots of the common "web apps" even have demo configs for Nginx in their wiki's.

To get started though, I found one of digital oceans guides very helpful.

@michaelmurfy helped with a config for the Unifi controller too.

Mr Snotty

  # 2084151 5-Sep-2018 07:55

I'm guilty with not using NGINX where I should just because I know Apache so well - but either one will work for you.

 

With me, I've got a Debian VM running on my UnRaid server acting as both an Apache server and a reverse proxy. It hosts multiple sites.

 

An example of a site hosted from my home server is https://quake.murfy.nz - the Quake site is running in Docker (on the VM - I didn't want it on my local UnRaid server). The configuration for it (in /etc/apache2/sites-available/quake.conf) is as follows:

 

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName quake.murfy.nz
    ServerAdmin michael@murfy.nz
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # Drop the backend's technology header and enforce HTTPS via HSTS (needs mod_headers)
    Header unset X-Powered-By
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    ProxyPreserveHost On
    # WebSocket upgrade requests are tunnelled to the container (needs mod_rewrite and proxy_wstunnel)
    RewriteEngine On
    RewriteCond %{HTTP:Connection} Upgrade [NC]
    RewriteRule /(.*) ws://127.0.0.1:49160/$1 [P,L]
    # Let's Encrypt challenges are served from DocumentRoot; everything else goes to the container
    ProxyPass /.well-known/acme-challenge !
    ProxyPass / http://127.0.0.1:49160/
    ProxyPassReverse / http://127.0.0.1:49160/
    SSLCertificateFile /etc/letsencrypt/live/home.murfy.nz/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/home.murfy.nz/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>

 

A few things to note in this configuration:
1) You're needing to run "a2enmod proxy_http" and "a2enmod proxy" - since I am using WebSockets with this app "a2enmod proxy_wstunnel" is needed too. This enables these modules in Apache.
2) The RewriteRules are for the WebSocket connections running on quake. You can omit this if your app doesn't use WebSockets (inspect this using the Chrome inspect tool).
3) I am using LetsEncrypt for this so have rules to allow access to /.well-known/acme-challenge hosted in /var/www/html - this means LetsEncrypt can renew the SSL certificate for this site without just hitting the Proxied site every time it checks.
4) All my sites don't listen on Port 80 - they're SSL only. It is a good practice to get in to. I've got a strict transport policy set on all my sites with preloading enabled on my root domain (murfy.nz) so it is all HTTPS only.
5) The SSLCertificateFile and SSLCertificateKeyFile link to the LetsEncrypt keys on the server for SSL. I've got other sites hosted (for example - https://home.murfy.nz).
6) I've got a Cron job to automatically renew LetsEncrypt and reload the Apache configuration when that time comes. This updates the SSL on all domains hosted on this server.

 

For beginners - I think Apache is easier to configure and works just as well. The configuration for NGINX running on the UniFi server to achieve the same thing is much much bigger. NGINX is fast, but Apache is almost just as fast in most cases. I've got a site that gets over 2mil hits per day that uses Apache for example.

 

My VM on UnRaid is simply a Debian 9 VM running with 512 MB of RAM, it also runs a few things locally in Docker just to prevent potentially exposing my NAS to the internet. I however don't see any issues with running something like NextCloud on the NAS docker and using a VM to reverse proxy it (which I assume is what you're trying to do). With NextCloud omit the RewriteCond in bold as you don't need websockets proxied.

 

@mdf feel free to flick me a message at any time if you'd like me to configure some virtual servers on Apache or NGINX so you can then reuse the configuration for other things. Quite happy to help out if you're unable to figure it out.
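As an added example (not code from the post above or from any of the projects mentioned), a small Python linter that parses an Apache vhost block of the shape shown and checks the practices listed in the notes: HTTPS-only listener, HSTS set, X-Powered-By unset, ACME challenge path excluded from proxying, and certificate directives present. The embedded config is a constructed stand-in with placeholder hostnames and paths.

```python
import re

# Constructed sample config mirroring the posted vhost (placeholder names and paths).
GOOD_VHOST = """\
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName app.example.test
    Header unset X-Powered-By
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    ProxyPreserveHost On
    ProxyPass /.well-known/acme-challenge !
    ProxyPass / http://127.0.0.1:49160/
    ProxyPassReverse / http://127.0.0.1:49160/
    SSLCertificateFile /etc/letsencrypt/live/app.example.test/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/app.example.test/privkey.pem
</VirtualHost>
</IfModule>
"""

def parse_vhosts(text):
    """Return a list of (port, [(directive, args), ...]) for each <VirtualHost> block."""
    vhosts = []
    for m in re.finditer(r"<VirtualHost\s+[^:>]*:(\d+)>(.*?)</VirtualHost>", text, re.S):
        directives = []
        for raw in m.group(2).splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue          # skip blanks and comments
            parts = line.split(None, 1)
            directives.append((parts[0], parts[1] if len(parts) > 1 else ""))
        vhosts.append((int(m.group(1)), directives))
    return vhosts

def check_vhosts(text):
    """Apply the thread's checks to every vhost; returns {port: [problem, ...]}."""
    report = {}
    for port, directives in parse_vhosts(text):
        problems = []
        names = {n for n, _ in directives}
        headers = [a for n, a in directives if n == "Header"]
        proxies = [a for n, a in directives if n == "ProxyPass"]
        if port != 443:
            problems.append("listens on plain HTTP port %d (thread: HTTPS only)" % port)
        if not any("Strict-Transport-Security" in a and "max-age=" in a for a in headers):
            problems.append("no HSTS header set")
        if not any(a.startswith("unset X-Powered-By") for a in headers):
            problems.append("X-Powered-By not unset")
        # If "/" is proxied, the ACME challenge path must be excluded with "!" so renewals hit DocumentRoot.
        if any(a.startswith("/ ") for a in proxies) and \
           not any("acme-challenge" in a and a.rstrip().endswith("!") for a in proxies):
            problems.append("ACME challenge path is proxied to the app")
        if not {"SSLCertificateFile", "SSLCertificateKeyFile"} <= names:
            problems.append("missing certificate/key directives")
        report[port] = problems
    return report
```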





  # 2084155 5-Sep-2018 08:09

This cuts it for me https://github.com/jwilder/nginx-proxy , in combination with https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion for generating Let's Encrypt certs.

 

 


  # 2084163 5-Sep-2018 08:40

Was using NGINX but have moved to HA proxy.

 

http://www.loadbalancer.org/blog/nginx-vs-haproxy/

 

 

 

Hell, for testing you can even containerise the proxy.

 

 

 

FROM haproxy:1.7
COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg

 


  # 2084180 5-Sep-2018 09:32

https://traefik.io/


 
 
 
 


  # 2084214 5-Sep-2018 10:28

marpada:

 

This cuts it for me https://github.com/jwilder/nginx-proxy , in combination with https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion for generating Let's Encrypt certs.

 

 

 

 

^ this. It's what I do, and works great.


mdf




  # 2089925 13-Sep-2018 11:53

Thanks all. I've kept plugging away at this and seem to be making some progress! traefik.io seems to be the winner so far - once I cracked it (I think - figuring out how the labels worked was key) it seems to be the most straightforward, albeit perhaps not with the best documentation for absolute n00bs. If anyone else stumbles across this thread looking for similar advice, this howto was probably the best introductory one I found (although some of the screen caps seem to be out of order): https://www.howtoforge.com/tutorial/ubuntu-docker-traefik-proxy/

 

There are bound to be follow up queries the deeper I get into this.


Mr Snotty

  # 2089932 13-Sep-2018 11:59

mdf:

 

Thanks all. I've kept plugging away at this and seem to be making some progress! traefik.io seems to be the winner so far - once I cracked it (I think - figuring out how the labels worked was key) it seems to be the most straightforward, albeit perhaps not with the best documentation for absolute n00bs. If anyone else stumbles across this thread looking for similar advice, this howto was probably the best introductory one I found (although some of the screen caps seem to be out of order): https://www.howtoforge.com/tutorial/ubuntu-docker-traefik-proxy/

 

There are bound to be follow up queries the deeper I get into this.

 

Excellent - may need to try traefik. Looks quite good!





  # 2091283 16-Sep-2018 02:28

HAProxy is the way to go, especially if you're dealing with WebSockets etc. They posted a great article the other day https://www.haproxy.com/blog/introduction-to-haproxy-acls/


mdf




  # 2092891 18-Sep-2018 21:57

It's coming along! Now if only I could get the number of leading spaces required in the docker-compose.yml file right the first time...

 

As a matter of good/best practice, just wondering what others do for web apps requiring databases? Some containers I've been experimenting with include a SQL database in that container, some require an "external" database (which I've been setting up as a separate container), and some have the option of either.

 

For separate database containers, would you set up a dedicated container for each database, or use a common database - e.g. WordPress container 1, WordPress container 2 and MediaWiki container 1 speaking to the same database container, or a dedicated database container for each?

 

This is very much still just in the learning experimenting phase. I don't have specific use cases in mind, beyond having a server run a few web apps that I can then muck around with without fear of consequence when I break something important. I am not silly enough to actually use anything I build myself for any kind of live/important deployment.


  # 2092899 18-Sep-2018 22:06

mdf:

 

It's coming along! Now if only I could get the number of leading spaces required in the docker-compose.yml file right the first time...

 

 

The number of spaces doesn't matter, as long as it is consistent at the same level. That, and not mixing tabs and spaces (been there, done that :) )

 

mdf:

 

As a matter of good/best practice, just wondering what others do for web apps requiring databases? Some containers I've been experimenting with include a SQL database in that container, some require an "external" database (which I've been setting up as a separate container), and some have the option of either.

 

For separate database containers, would you set up a dedicated container for each database, or use a common database - e.g. WordPress container 1, WordPress container 2 and MediaWiki container 1 speaking to the same database container, or a dedicated database container for each?

 

 

Definitely a separate container for your databases. Having your database in the same container as the app is the docker way™. The only time I would use a database in an application container is a SQLite database, since that doesn't have a daemon running.

 

As for one db container or one container per database, it's a personal preference. In my environment, I have a separate container for each database. Makes it a lot easier for docker-compose.yml as each database is unique. 


mdf




  # 2092904 18-Sep-2018 22:14

stinger:

 

As for one db container or one container per database, it's a personal preference. In my environment, I have a separate container for each database. Makes it a lot easier for docker-compose.yml as each database is unique. 

 

 

Thanks @stinger. If I can steal another page from your playbook, how do you set up passwords for each database? Use a secrets file or just chuck it in the docker-compose environment? And distinct passwords for each database or one really secure one?


  # 2092905 18-Sep-2018 22:25

mdf:

 

If I can steal another page from your playbook, how do you set up passwords for each database? Use a secrets file or just chuck it in the docker-compose environment? And distinct passwords for each database or one really secure one?

 

 

I have the database password in my docker-compose file (by setting POSTGRES_PASSWORD in the environment). Given that the password needs to be stored unencrypted in the application container (or mounted to that container), I don't see any real benefit in trying to hide the password in the yml file (by using docker secrets for example). All my database passwords are random 24 character strings (generated with "pwgen 24 1"), and are different for each database. Of course you must trust everyone that has shell access on the docker host, but in my case, that is me, myself and I :)

